Cross Site Scripting (XSS): A Client Side Web Security Attack

When something is accessible to someone other than yourself, the first thing that crosses the mind is how to securely share your information with the rest? In current world where information is becoming digital and accessible to everyone, at the same time, its important to understand the restriction on the accessibility of the information, which ultimately leads to the fact that how to ensure security of the information which is restricted in nature but at the same time easily accessible to the concern community.


When we talk about web security, which is a very wide area, the most common security threat that an engineer heard about again and again is the Cross Site Scripting (XSS), Today, I shall try to explain what Cross Site Scripting (XSS) is all about? What common types it has? What are some of common prevention method adopts to prevent it and What are some common tools to detect vulnerabilities in a link being sent. My main focus of Cross Site Scripting (XSS) attack will be from client side security attack perspective.

Before the advancements in the web security domain, the after shocks of Cross Site Scripting (XSS) attacks were usually made responsibility of the end-user because he/she has opened a website unknown to him/her, but, as the advancement moves into both hacking and web security domains, website companies become equally responsible to prevent Cross Site Scripting (XSS) attacks happening particular on their websites. As an example, let say that the end-user receives a link of an authenticated website, but, in reality, that link is sent from hacker to steal the information of the end user, so, in this scenario the responsibility lies equally on the website company to prevent the hacking.

 Cross Site Scripting (XSS)

Injection of malicious code into trust worthy web site in order to extract vital information about the end-user from  the website or to propagate virus to end-user system.

How does XSS attack occurs?

1) Email -> Email is received from an authenticated web link of known website, tempting end-user to open the link.

2) Social Engineering Techniques -> Use of Social Engineering Techniques to convince the end-user to open the malicious link.

Consequence of Malicious XSS Attack via JavaScript

1) Cookie Theft -> Stealing of the sensitive information via cookies associated with websites. In this scenario, the attacker can access the victim’s cookies associated with the website using document.cookie, send them to his own server, and then use them to extract sensitive information like session IDs.


2) Keylogging
-> Stealing user inputs e.g. password, credit card etc. via hooking keyboard listener. In this scenario, the attacker can register a keyboard event listener using addEventListener and then send all of the user’s keystrokes to his own server, potentially recording sensitive information such as passwords and credit card numbers.

 
3) Phishing-> Inserting fake forms e.g. login form by manipulating DOM and steal user credentials. In this scenario, the attacker can insert a fake login form into the page using DOM manipulation, set the form’s action attribute to target his own server, and then trick the user into submitting sensitive information.

What is Phishing?

The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers online.

Cross Site Scripting (XSS) Type

1) Stored (Persistent) XSS:

Injecting malicious script permanently into web application database e.g. via comments. The most damaging type of XSS is Stored (Persistent) XSS. Stored XSS attacks involves an attacker injecting a script (referred to as the payload) that is permanently stored (persisted) on the target application (for instance within a database). The classic example of stored XSS is a malicious script inserted by an attacker in a comment field on a blog or in a forum post.

 

I have taken the above diagram from here, I do not own it. Let me explain what the above diagram shows step by step i.e.

 

1) In step-1, the attacker uses comment box on a a website’s to insert a malicious string into the website’s database.

 

2) In step-2, the end-user (victim) opens the page from that website which contains comments along with the malicious comment from the attacker.

 

3) In step-3, when the website receives the end-user request, it simply compile the response which also includes the malicious string from the database that hacker previously inject via comment in the response and sends it to the end-user (victim).

 

4) In final step-4, when end-user (victim) receives the response, the browser of the end-user will executes the malicious script inside the response, sending the end-user’s (victim’s) cookies to the attacker’s server.

2) Reflected XSS:

Injecting malicious script into web application via HTTP Request e.g. request parameter of URL in case of searching. The second, and by far the most common type of XSS is Reflected XSS. In Reflected XSS, the attacker’s payload script has to be part of the request which is sent to the web server and reflected back in such a way that the HTTP response includes the payload from the HTTP request. Using Phishing emails and other social engineering techniques, the attacker lures the victim to inadvertently make a request to the server which contains the XSS payload and ends-up executing the script that gets reflected and executed inside the browser. Since Reflected XSS isn’t a persistent attack, the attacker needs to deliver the payload to each victim – social networks are often conveniently used for the dissemination of Reflected XSS attacks.

3) DOM-based XSS:

Advance malicious code injection via DOM manipulation. DOM-based XSS, where the vulnerability is in the client-side code rather than the server-side code. The most dangerous part of DOM-based XSS is that the attack is often a client-side attack, and the attacker’s payload is never sent to the server. This makes it even more difficult to detect for Web Application Firewalls (WAFs) and security engineers analyzing the server’s logs since they will never even see the attack.

XSS Attack Prevention Techniques

1) Data Validation

Restrict user input on both server and client side by either rejecting script base input or via data sanitization.

2) Date Encoding

Encode request parameters in URL and encode user input, so, that browser interprets input as data and  not as code.

3) Content Security Policy (CSP)

The disadvantage of protecting against XSS by using only secure input handling is that even a single lapse of security can compromise your website. A recent web standard called Content Security Policy (CSP) can mitigate this risk. CSP is used to constrain the browser viewing your page so that it can only use resources downloaded from trusted sources. A resource is a script, a stylesheet, an image, or some other type of file referred to by the page. This means that even if an attacker succeeds in injecting malicious content into your website, CSP can prevent it from ever being executed.
A web security standard introduced in 2004 to prevent cross cite scripting by defining prevention rules i.e.
1) No untrusted sources -> External resources can only be loaded from a set of clearly defined trusted sources.
 
2) No inline resources -> Inline JavaScript and CSS will not be evaluated.
 
3) No eval -> The JavaScript eval function cannot be used.

Tools for Testing XSS Vulnerabilities

1) XSS Scanner -> http://xss-scanner.com/
2) Scan My Server  -> https://www.scanmyserver.com/
3) SUCRI -> https://sitecheck.sucuri.net/
4) SSL Labs -> https://www.ssllabs.com/ssltest/
5) Acunetix  -> http://www.acunetix.com/

Conclusion

In today’s post you will learn about detail of Cross Site Scripting (XSS) in general. You will learn about what Cross Site Scripting (XSS) is all about? What common types it has? What are some of common prevention method adopts to prevent it and What are some common tools to detect vulnerabilities in a link being sent.

Disclaimer

Apart from title image, all other images have been taken from the internet. I do not own any image used above here except from title image.

2 thoughts on “Cross Site Scripting (XSS): A Client Side Web Security Attack

Leave a Reply